TheDude
/
openproject
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: TheDude:dev
Branches Tags
TheDude:12-3-1-notes-fixes
TheDude:45001-component-to-show-the-list-of-non-working-days-of-year
TheDude:45827-project-list-dropdown-actions-cut-off
TheDude:Small-docs-fix
TheDude:bug-process-documentation
TheDude:bug/36827-creating-work-package-in-status-not-available-for-work-package-type
TheDude:bug/41714-clicking-on-files-tab-scrolls-up-on-ios
TheDude:bug/41851-blank-email-reminders-page-when-creating-account-manually
TheDude:bug/43193-remove-oauth-cookie-after-successful-authorization-against-nextcloud
TheDude:bug/43323-nextcloud-validation-error-in-new-storage-host-field
TheDude:bug/43504-date-picker-not-working-as-expected-for-utc-time-hour-minus
TheDude:bug/44924-error-in-souce-string-for-team-planner
TheDude:bump/angular13
TheDude:chore/file-list-padding-overwrite
TheDude:chore/fix-error-toast-for-broken-oauth-data
TheDude:chore/restructure-file-list-style
TheDude:code-maintenance/45463-apply-rails-5-0-defaults
TheDude:dev
TheDude:display-skeleton-view-over-team-planner-calendar
TheDude:docker-install
TheDude:docs-add-details-follow-precede-gantt-distance
TheDude:docs-add-details-follow-precede-gantt-distance-2
TheDude:docs-update-to-notifications
TheDude:docs-updates
TheDude:docs-updates-for-12.5
TheDude:documentation/design-system
TheDude:feat/design-system
TheDude:featuer/26688/in-app-notifications-table-change
TheDude:feature/26688/ian-announcements
TheDude:feature/37398-select-input-none-option
TheDude:feature/37441-dynamic-form-v2
TheDude:feature/40228-openapi-spec
TheDude:feature/40228-openapi-specification-part-2
TheDude:feature/41530-copying-a-project-shall-also-copy-file-links-attached-to-all-work-packages
TheDude:feature/42358-standardise-date-pickers
TheDude:feature/42358-standardise-date-pickers-2
TheDude:feature/42358-standardise-date-pickers-drop-modal-portal
TheDude:feature/43118-access-project-dropdown-entries-via-arrow-keys
TheDude:feature/43638-update-team-planner-and-calendar-for-duration-and-non-working-days-rebased
TheDude:feature/43644-revoke-access-to-storage-granted-by-oauth
TheDude:feature/44212-new-release-teaser-block-for-123
TheDude:feature/45963-remove-select-all-and-open-storage-interaction-elements-from-file-pickers
TheDude:feature/api_v3_activities_index
TheDude:feature/documenting-services-and-contracts
TheDude:feature/ee-date-alerts
TheDude:feature/file-links-oauth-connection-manager-rebased
TheDude:feature/in-app-notifications-settings
TheDude:feature/invite-user-modal
TheDude:feature/notification_signaling
TheDude:feature/openapi-spec-and-swagger-ui
TheDude:feature/placeholder-users
TheDude:feature/settings_api
TheDude:feature/spot-list-tooltip-rework
TheDude:feature/team-planner-fullcalendar
TheDude:feature/translations-hierarchy
TheDude:fix-column-width-including-ngselect
TheDude:fix-tab-info-not-updated-in-notification-center
TheDude:fix/34436-edit-backlog-date-focus-backlog-details
TheDude:fix/34436-edit-backlog-date-focus-backlog-details-firefox-quirk
TheDude:fix/35563-hide-boards-user-is-not-allowed
TheDude:fix/36521-Saving-changes-to-user-profile-after-handling-error-message-leads-to-user-profile
TheDude:fix/37509/modal-position-relative
TheDude:fix/39123-mobile-tab-overflow
TheDude:fix/39833-work-package-parent-shrink
TheDude:fix/41437-project-selector
TheDude:fix/41535-datepicker-overflow
TheDude:fix/42397-project-filter-is-not-applied-in-embedded-table
TheDude:fix/43085/default-cf-value-filter
TheDude:fix/43230-toggle-disabled-state-not-defined
TheDude:fix/43259-the-list-style-in-the-nextcloud-section-is-not-correct
TheDude:fix/44197-sort-workpackages-by-updated-at
TheDude:fix/44846-custom-field-multi-select
TheDude:fix/45586/totp-clock-error-discoverability
TheDude:fix/activity-change-detection
TheDude:fix/activity-tab-spec
TheDude:fix/api-spec-storage-files
TheDude:fix/attachments-drag-n-drop-chrome
TheDude:fix/comment-number-cut-off-on-moblie
TheDude:fix/custom-plugin-frozen
TheDude:fix/improve_scheduling_performance-with-simpler_sql
TheDude:fix/inline-wp-button-macro
TheDude:fix/json_serialize_delayed_job
TheDude:fix/missing-omniauth-strategy
TheDude:fix/notification_and_wp_visiblity_check_performance
TheDude:fix/op-sidemenu-href
TheDude:fix/op-sidemenu-onpush
TheDude:fix/rails_7_scope_merging_on_index
TheDude:fix/re-enable-rake-task
TheDude:fix/reject-invalid-host-headers
TheDude:fix/remove-differential-building
TheDude:fix/run-url-github
TheDude:fix/selector_for_board_specs
TheDude:fix/storybook-zone-aware-promise
TheDude:fix/update_robot_txt
TheDude:fix/whitelist_date_on_config_yaml_load
TheDude:fix/wysiwyg-changes_wo_ckeditor
TheDude:hal_presenter_demo
TheDude:housekeeping/update-rxjs
TheDude:implementation-wp-quick-add-modal-component
TheDude:implementation/42204-add-file-links-collection-to-work-package-resource
TheDude:implementation/42379-add-endpoint-to-update-cache-with-live-data
TheDude:implementation/42843-add-authorization-state-to-storages-api-endpoint
TheDude:implementation/43693-add-file-link-list-component-to-new-work-package-form
TheDude:implementation/45083-update-look-of-activity-items-in-activity-module-for-project-and-work-packages
TheDude:integration/outdated_10.5
TheDude:packaging/sles15
TheDude:refactor/autocompleters
TheDude:refactor/hal-resource-2
TheDude:refactor/handle-prettier-dependency
TheDude:release/11.2
TheDude:release/11.3
TheDude:release/11.4
TheDude:release/12.0
TheDude:release/12.1
TheDude:release/12.2
TheDude:release/12.3
TheDude:release/12.4
TheDude:revert-10203-fix/ldap-sync-mutex
TheDude:revert-9332-feature/37472-dynamic-forms-v2-flat-resources_links-model
TheDude:spike/fullcalendar-resources
TheDude:spike/hotwire
TheDude:spike/try-removing-shoulda
TheDude:stable/10
TheDude:stable/11
TheDude:stable/12
TheDude:stable/5
TheDude:stable/6
TheDude:stable/7
TheDude:stable/8
TheDude:stable/9
TheDude:task/41010-add-configure-work-packages-forms-(headlines)-(premium-feature)
TheDude:task/42684-project-settings-change-screenshot-and-customize-text
TheDude:task/42759-new-wording-for-note-in-the-english-user-guide
TheDude:task/43309-edit-forum-section-in-user-guide
TheDude:task/43662-edit-work-package-faq
TheDude:task/44235-user-guide-notification-typo-fix
TheDude:task/44256-user-guide-calculate-work-package-progress-with-work-package-status
TheDude:update-style-guide-screenshots
TheDude:wizard-test
...
pull from: TheDude:bug/43193-remove-oauth-cookie-after-successful-authorization-against-nextcloud
Branches Tags
TheDude:12-3-1-notes-fixes
TheDude:45001-component-to-show-the-list-of-non-working-days-of-year
TheDude:45827-project-list-dropdown-actions-cut-off
TheDude:Small-docs-fix
TheDude:bug-process-documentation
TheDude:bug/36827-creating-work-package-in-status-not-available-for-work-package-type
TheDude:bug/41714-clicking-on-files-tab-scrolls-up-on-ios
TheDude:bug/41851-blank-email-reminders-page-when-creating-account-manually
TheDude:bug/43193-remove-oauth-cookie-after-successful-authorization-against-nextcloud
TheDude:bug/43323-nextcloud-validation-error-in-new-storage-host-field
TheDude:bug/43504-date-picker-not-working-as-expected-for-utc-time-hour-minus
TheDude:bug/44924-error-in-souce-string-for-team-planner
TheDude:bump/angular13
TheDude:chore/file-list-padding-overwrite
TheDude:chore/fix-error-toast-for-broken-oauth-data
TheDude:chore/restructure-file-list-style
TheDude:code-maintenance/45463-apply-rails-5-0-defaults
TheDude:dev
TheDude:display-skeleton-view-over-team-planner-calendar
TheDude:docker-install
TheDude:docs-add-details-follow-precede-gantt-distance
TheDude:docs-add-details-follow-precede-gantt-distance-2
TheDude:docs-update-to-notifications
TheDude:docs-updates
TheDude:docs-updates-for-12.5
TheDude:documentation/design-system
TheDude:feat/design-system
TheDude:featuer/26688/in-app-notifications-table-change
TheDude:feature/26688/ian-announcements
TheDude:feature/37398-select-input-none-option
TheDude:feature/37441-dynamic-form-v2
TheDude:feature/40228-openapi-spec
TheDude:feature/40228-openapi-specification-part-2
TheDude:feature/41530-copying-a-project-shall-also-copy-file-links-attached-to-all-work-packages
TheDude:feature/42358-standardise-date-pickers
TheDude:feature/42358-standardise-date-pickers-2
TheDude:feature/42358-standardise-date-pickers-drop-modal-portal
TheDude:feature/43118-access-project-dropdown-entries-via-arrow-keys
TheDude:feature/43638-update-team-planner-and-calendar-for-duration-and-non-working-days-rebased
TheDude:feature/43644-revoke-access-to-storage-granted-by-oauth
TheDude:feature/44212-new-release-teaser-block-for-123
TheDude:feature/45963-remove-select-all-and-open-storage-interaction-elements-from-file-pickers
TheDude:feature/api_v3_activities_index
TheDude:feature/documenting-services-and-contracts
TheDude:feature/ee-date-alerts
TheDude:feature/file-links-oauth-connection-manager-rebased
TheDude:feature/in-app-notifications-settings
TheDude:feature/invite-user-modal
TheDude:feature/notification_signaling
TheDude:feature/openapi-spec-and-swagger-ui
TheDude:feature/placeholder-users
TheDude:feature/settings_api
TheDude:feature/spot-list-tooltip-rework
TheDude:feature/team-planner-fullcalendar
TheDude:feature/translations-hierarchy
TheDude:fix-column-width-including-ngselect
TheDude:fix-tab-info-not-updated-in-notification-center
TheDude:fix/34436-edit-backlog-date-focus-backlog-details
TheDude:fix/34436-edit-backlog-date-focus-backlog-details-firefox-quirk
TheDude:fix/35563-hide-boards-user-is-not-allowed
TheDude:fix/36521-Saving-changes-to-user-profile-after-handling-error-message-leads-to-user-profile
TheDude:fix/37509/modal-position-relative
TheDude:fix/39123-mobile-tab-overflow
TheDude:fix/39833-work-package-parent-shrink
TheDude:fix/41437-project-selector
TheDude:fix/41535-datepicker-overflow
TheDude:fix/42397-project-filter-is-not-applied-in-embedded-table
TheDude:fix/43085/default-cf-value-filter
TheDude:fix/43230-toggle-disabled-state-not-defined
TheDude:fix/43259-the-list-style-in-the-nextcloud-section-is-not-correct
TheDude:fix/44197-sort-workpackages-by-updated-at
TheDude:fix/44846-custom-field-multi-select
TheDude:fix/45586/totp-clock-error-discoverability
TheDude:fix/activity-change-detection
TheDude:fix/activity-tab-spec
TheDude:fix/api-spec-storage-files
TheDude:fix/attachments-drag-n-drop-chrome
TheDude:fix/comment-number-cut-off-on-moblie
TheDude:fix/custom-plugin-frozen
TheDude:fix/improve_scheduling_performance-with-simpler_sql
TheDude:fix/inline-wp-button-macro
TheDude:fix/json_serialize_delayed_job
TheDude:fix/missing-omniauth-strategy
TheDude:fix/notification_and_wp_visiblity_check_performance
TheDude:fix/op-sidemenu-href
TheDude:fix/op-sidemenu-onpush
TheDude:fix/rails_7_scope_merging_on_index
TheDude:fix/re-enable-rake-task
TheDude:fix/reject-invalid-host-headers
TheDude:fix/remove-differential-building
TheDude:fix/run-url-github
TheDude:fix/selector_for_board_specs
TheDude:fix/storybook-zone-aware-promise
TheDude:fix/update_robot_txt
TheDude:fix/whitelist_date_on_config_yaml_load
TheDude:fix/wysiwyg-changes_wo_ckeditor
TheDude:hal_presenter_demo
TheDude:housekeeping/update-rxjs
TheDude:implementation-wp-quick-add-modal-component
TheDude:implementation/42204-add-file-links-collection-to-work-package-resource
TheDude:implementation/42379-add-endpoint-to-update-cache-with-live-data
TheDude:implementation/42843-add-authorization-state-to-storages-api-endpoint
TheDude:implementation/43693-add-file-link-list-component-to-new-work-package-form
TheDude:implementation/45083-update-look-of-activity-items-in-activity-module-for-project-and-work-packages
TheDude:integration/outdated_10.5
TheDude:packaging/sles15
TheDude:refactor/autocompleters
TheDude:refactor/hal-resource-2
TheDude:refactor/handle-prettier-dependency
TheDude:release/11.2
TheDude:release/11.3
TheDude:release/11.4
TheDude:release/12.0
TheDude:release/12.1
TheDude:release/12.2
TheDude:release/12.3
TheDude:release/12.4
TheDude:revert-10203-fix/ldap-sync-mutex
TheDude:revert-9332-feature/37472-dynamic-forms-v2-flat-resources_links-model
TheDude:spike/fullcalendar-resources
TheDude:spike/hotwire
TheDude:spike/try-removing-shoulda
TheDude:stable/10
TheDude:stable/11
TheDude:stable/12
TheDude:stable/5
TheDude:stable/6
TheDude:stable/7
TheDude:stable/8
TheDude:stable/9
TheDude:task/41010-add-configure-work-packages-forms-(headlines)-(premium-feature)
TheDude:task/42684-project-settings-change-screenshot-and-customize-text
TheDude:task/42759-new-wording-for-note-in-the-english-user-guide
TheDude:task/43309-edit-forum-section-in-user-guide
TheDude:task/43662-edit-work-package-faq
TheDude:task/44235-user-guide-notification-typo-fix
TheDude:task/44256-user-guide-calculate-work-package-progress-with-work-package-status
TheDude:update-style-guide-screenshots
TheDude:wizard-test

1 Commits
dev ... bug/43193-

Author SHA1 Message Date
Andreas Pfohl bd3fd0c32c
[#43193] Remove OAuth cookie after successful authorization against Nextcloud
2 years ago
4 changed files with 46 additions and 17 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats
  1. 2
      Gemfile
  2. 4
      Gemfile.lock
  3. 20
      app/controllers/oauth_clients_controller.rb
  4. 37
      app/services/oauth_clients/redirect_uri_from_state_service.rb

2
Gemfile
Unescape View File

@ -207,6 +207,8 @@ gem "sentry-ruby", '~> 5.3.0'
# Appsignal integration
gem "appsignal", "~> 3.0", require: false
gem 'dry-monads', '~> 1.4'
group :test do
gem 'launchy', '~> 2.5.0'
gem 'rack-test', '~> 2.0.0'

4
Gemfile.lock
Unescape View File

@ -439,6 +439,9 @@ GEM
dry-logic (1.2.0)
concurrent-ruby (~> 1.0)
dry-core (~> 0.5, >= 0.5)
dry-monads (1.4.0)
concurrent-ruby (~> 1.0)
dry-core (~> 0.7)
dry-types (1.5.1)
concurrent-ruby (~> 1.0)
dry-container (~> 0.3)
@ -1052,6 +1055,7 @@ DEPENDENCIES
disposable (~> 0.6.2)
doorkeeper (~> 5.5.0)
dotenv-rails
dry-monads (~> 1.4)
email_validator (~> 2.2.3)
equivalent-xml (~> 0.6)
escape_utils (~> 1.3)

20
app/controllers/oauth_clients_controller.rb
Unescape View File

@ -29,20 +29,20 @@
# This controller handles OAuth2 Authorization Code Grant redirects from a Authorization Server to
# "callback" endpoint.
class OAuthClientsController < ApplicationController
before_action :set_oauth_state
before_action :find_oauth_client
before_action :set_redirect_uri
before_action :set_code
before_action :set_connection_manager
after_action :clear_oauth_state_cookie
# Provide the OAuth2 "callback" endpoint.
# The Authorization Server redirects
# here after successful authentication and authorization.
# This endpoint gets a "code" parameter that cryptographically
# contains a grant.
# We get here by a URL like this:
# http://localhost:4200/oauth_clients/asdf12341234qsdfasdfasdf/callback?
# state=http%3A%2F%2Flocalhost%3A4200%2Fprojects%2Fdemo-project%2Foauth2_example&
# code=MQoOnUTJGFdAo5jBGD1SqnDH0PV6yioG7NoYM2zZZlK3g6LuKrGUmOxjIS1bIy7fHEfZy2WrgYcx
def callback
# Exchange the code with a token using a HTTP call to the Authorization Server
service_result = @connection_manager.code_to_token(@code)
@ -65,6 +65,14 @@ class OAuthClientsController < ApplicationController
private
def set_oauth_state
@oauth_state = params[:state]
end
def clear_oauth_state_cookie
cookies.delete("oauth_state_#{@oauth_state}") unless @oauth_state.nil?
end
def set_oauth_errors(service_result)
flash[:error] = ["#{t(:'oauth_client.errors.oauth_authorization_code_grant_had_errors')}:"]
service_result.errors.each do |error|
@ -94,7 +102,7 @@ class OAuthClientsController < ApplicationController
# redirect_uri is used by OpenProject to redirect to
# after receiving an OAuth2 access token. So it should not be blank.
service_result = ::OAuthClients::RedirectUriFromStateService
.new(state: params[:state], cookies:)
.new(state: @oauth_state, cookies:)
.call
if service_result.success?
@ -153,7 +161,7 @@ class OAuthClientsController < ApplicationController
def get_redirect_uri
::OAuthClients::RedirectUriFromStateService
.new(state: params[:state], cookies:)
.new(state: @oauth_state, cookies:)
.call
.result
end

37
app/services/oauth_clients/redirect_uri_from_state_service.rb
Unescape View File

@ -28,30 +28,45 @@
require "rack/oauth2"
require "uri/http"
require 'dry/monads'
require 'dry/monads/do'
module OAuthClients
class RedirectUriFromStateService
include Dry::Monads[:maybe]
include Dry::Monads::Do.for(:process)
def initialize(state:, cookies:)
@state = state
@state = Maybe(state)
@cookies = cookies
end
def call
redirect_uri = oauth_state_cookie
if redirect_uri.present? && ::API::V3::Utilities::PathHelper::ApiV3Path::same_origin?(redirect_uri)
ServiceResult.success(result: redirect_uri)
else
ServiceResult.failure
end
process(@cookies, @state)
.fmap { |uri| ServiceResult.success(result: uri) }
.value_or(ServiceResult.failure)
end
private
def oauth_state_cookie
return nil if @state.blank?
def process(cookies, state)
state_key = yield state
uri = yield callback_uri_from_cookies(cookies, "oauth_state_#{state_key}")
callback_uri = yield validate_callback_uri(uri)
Some(callback_uri)
end
def callback_uri_from_cookies(cookies, name)
Maybe(cookies[name])
end
@cookies["oauth_state_#{@state}"]
def validate_callback_uri(uri)
if ::API::V3::Utilities::PathHelper::ApiV3Path::same_origin?(uri)
Some(uri)
else
None()
end
end
end
end

Write Preview
Loading…
Cancel
Save